OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION'S APPROVAL AND MONITORING OF THE USE OF SOFTWARE

October 2010   A-14-10-21082

EVALUATION REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

   • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
   • Promote economy, effectiveness, and efficiency within the agency.
   • Prevent and detect fraud, waste, and abuse in agency programs and operations.
   • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
   • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

   • Independence to determine what reviews to perform.
   • Access to all information necessary for the reviews.
   • Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:    October 27, 2010                                        Refer To:

To:      The Commissioner

From:    Inspector General

Subject: The Social Security Administration's Approval and Monitoring of the Use of Software (A-14-10-21082)

OBJECTIVE

Our objective was to assess the Social Security Administration's (SSA) policy and procedures for approving and monitoring software on employee and contractor computers.

BACKGROUND

The Federal Information Security Management Act of 2002 (FISMA)[1] requires that Federal agencies develop, document, and implement an Agency-wide information security program for the information and information systems that support the agencies' operations and assets.[2] FISMA also requires that heads of Federal agencies delegate authority to the Chief Information Officer (CIO) to ensure compliance with FISMA's requirements.[3] The CIO should appoint a senior agency information security officer[4] to head an office with the mission and resources to assist in ensuring Agency compliance with FISMA.[5]

The National Institute of Standards and Technology (NIST) recommends that organizations identify what types of software installations are prohibited (for example, software that is only for personal or nongovernmental use and software that may be malicious or suspect).[6] Malicious software/code or malware refers to a covertly inserted program designed to compromise the integrity of the victim's computer, data, or applications.

[1] Pub. L. No. 107-347, Title III, 44 U.S.C. §§ 3541-3549.
[2] Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (b), 44 U.S.C. § 3544 (b).
[3] Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3), 44 U.S.C. § 3544 (a)(3).
[4] SSA's Chief Information Security Officer is the designated Senior Agency Information Security Officer.
[5] Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3)(A)(iv), 44 U.S.C. § 3544 (a)(3)(A)(iv).

SSA's Information Systems Security Handbook (ISSH) states that SSA managers and users must take appropriate actions to secure and prevent the improper use, damage, or destruction of SSA hardware and software.[7] Further, the only software authorized for use on SSA computers is software purchased through the Agency-sanctioned requisition process or developed, evaluated, and documented in-house.[8] Personally owned software is prohibited on SSA computers unless its use is critical to an SSA function and there is no comparable Agency software solution.[9] In these instances, managers must submit written waiver requests with justification to the Component Security Officer (CSO).[10] When this waiver is given, the local manager is responsible for monitoring the software.[11]

The Office of Telecommunications and Systems Operations (OTSO) scans and analyzes network traffic for system vulnerabilities and exploits to ensure compliance with Agency configuration settings and software requirements. SSA uses an intrusion detection system (IDS)[12] to view network traffic in real time. When a violation is detected, the IDS sends an alert to a console that is monitored by an operator. SSA uses Threat Manager, a signature-based,[13] real-time anti-virus software, to monitor workstations. Additionally, SSA uses a software package called the System Center Configuration Manager (SCCM) that keeps an inventory of all "executable"[14] files on employee or contractor Windows-based computers. OTSO staff uses this inventory to identify unauthorized software.
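The inventory-against-policy check just described, as an added example that is not from the report or from SSA's tooling: it reconciles a constructed SCCM-style executable export against an approved-software catalog and the waivers on file, applying the report's routing rule that a waiver only authorizes software once the manager has sent it to the CSO and a security office (OTSO or OEIE) has approved it, and flags non-Windows devices as a scan coverage gap. The catalog entries, component and office codes, device names and export layout are all assumptions.

```python
"""Reconcile a workstation executable inventory against the software-authorization
rules described in the report. Added example, not SSA's tooling; every value
and name below is constructed."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed approved-software catalog: executable -> how it became authorized
# (purchased through the sanctioned requisition process, or developed in-house).
AUTHORIZED_CATALOG = {
    "outlook.exe": "requisition",
    "winword.exe": "requisition",
    "ssaclaims.exe": "in-house",  # hypothetical in-house application
}

# Offices the report names as waiver approvers. The OCIO is deliberately absent:
# a waiver routed only to the OCIO is not valid under the ISSH as the report reads it.
SECURITY_OFFICES = {"OTSO", "OEIE"}


@dataclass(frozen=True)
class Waiver:
    executable: str
    component: str              # organizational component the waiver covers
    submitted_to: str           # office the manager sent the request to
    approved_by: Optional[str]  # None while the request is still pending

    def is_valid(self) -> bool:
        """Valid only if routed through the CSO and approved by a security office."""
        return self.submitted_to == "CSO" and self.approved_by in SECURITY_OFFICES


def classify(executable: str, component: str, platform: str,
             waivers: List[Waiver]) -> str:
    """Return the policy status of one inventory record."""
    if platform.lower() != "windows":
        # SCCM inventories only Windows-based devices, so nothing can be said
        # about software on this device; report it as a coverage gap instead.
        return "outside-scan-coverage"
    if executable in AUTHORIZED_CATALOG:
        return "authorized"
    matching = [w for w in waivers
                if w.executable == executable and w.component == component]
    if any(w.is_valid() for w in matching):
        return "waived"
    if matching:
        # A waiver exists but went to the wrong office or is still pending.
        return "waiver-misrouted"
    return "unauthorized"


def reconcile(inventory_csv: str, waivers: List[Waiver]) -> Dict[str, List[str]]:
    """Group every 'device:executable' in the export by its policy status."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["executable"], row["component"], row["platform"], waivers)
        findings.setdefault(status, []).append(f'{row["device"]}:{row["executable"]}')
    return findings


def invalid_waivers(waivers: List[Waiver]) -> List[Waiver]:
    """Waivers on file that authorize nothing yet (misrouted or still pending)."""
    return [w for w in waivers if not w.is_valid()]


# Constructed export: asset register joined with the SCCM executable scan.
# The Unix device has no executable list because SCCM cannot scan it.
SAMPLE_INVENTORY = """\
device,component,platform,executable
WS-0001,OFPO,Windows,outlook.exe
WS-0001,OFPO,Windows,freepdf.exe
WS-0002,OTSO,Windows,ssaclaims.exe
WS-0002,OTSO,Windows,chatclient.exe
WS-0003,OFPO,Windows,toolbar.exe
UX-0100,OFPO,Unix,
"""

# Constructed waivers: one sent straight to the OCIO (the routing error the
# report found), one correctly routed and approved, one still pending.
SAMPLE_WAIVERS = [
    Waiver("freepdf.exe", "OFPO", submitted_to="OCIO", approved_by="OCIO"),
    Waiver("chatclient.exe", "OTSO", submitted_to="CSO", approved_by="OTSO"),
    Waiver("cupsd", "OFPO", submitted_to="CSO", approved_by=None),
]

if __name__ == "__main__":
    for status, items in sorted(reconcile(SAMPLE_INVENTORY, SAMPLE_WAIVERS).items()):
        print(f"{status:22s} {', '.join(items)}")
    for w in invalid_waivers(SAMPLE_WAIVERS):
        print(f"waiver needs attention: {w.executable} ({w.component}), approved_by={w.approved_by}")
```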
SSA monitors about 129,000 devices every 7 days.\n\n\n\n6\n NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information\nSystems and Organizations, Section SA-7, page F-100, August 2009.\n7\n    SSA\xe2\x80\x99s ISSH Hardware and Software Security Policy, Chapter 11, \xc2\xa7 11.3, revised August 2009.\n8\n    SSA, ISSH, Chapter 11 \xc2\xa7 11.3.2.\n9\n    Id.\n10\n  Id. The CSO is responsible for advising and working with management to ensure the implementation of\nFederal laws and directives and SSA security policy in their area of jurisdiction.\n11\n     SSA, ISSH, Chapter 11 \xc2\xa7 11.3.2.\n12\n  An IDS is a combination of hardware and software products that is used to analyze network traffic\npassing through a single point on the network. The software analyzes the data searching for specific\nsignatures (known patterns of traffic) of malicious intent.\n13\n     Signature-based detection involves searching for known malicious patterns in software programs.\n14\n  An executable file causes a computer ". . . to perform indicated tasks according to encoded\ninstructions.\xe2\x80\x9d\n\x0cPage 3 - The Commissioner\n\n\nWe obtained information for this review through interviews with SSA\xe2\x80\x99s staff responsible\nfor software approval and monitoring. We reviewed relevant laws, regulations,\nstandards, and guidelines. In addition, we obtained and reviewed SSA\xe2\x80\x99s current\nsoftware security policy and rules of behavior. Further, we obtained software security\nincident data from SSA\xe2\x80\x99s Change, Asset, and Problem Reporting System.15 Lastly, we\nrequested some examples of software security incidents detected through the Agency\xe2\x80\x99s\nnetwork scanning. 
SSA staff provided seven security incidents that occurred in\nNovember 2009.\n\nRESULTS OF REVIEW\nBased on our evaluation, we determined that SSA had a software approval and\nmonitoring policy for employees\xe2\x80\x99 and contractors\xe2\x80\x99 use of software on Agency computers.\nHowever, we determined the Agency\xe2\x80\x99s software approval and monitoring policy needed\nimprovement. In addition, we found SSA employees, managers, and contractors did not\nalways comply with the Agency\xe2\x80\x99s software approval policy by obtaining a waiver before\ninstalling non-standard software.16 Further, in all seven software-related security\nincidents reviewed, we determined that no documented disciplinary action had been\ntaken against the employee for not complying with the Agency\xe2\x80\x99s software approval\npolicy.17 As indicated below, SSA determined that five of the seven incidents were\nunintentional and did not warrant disciplinary action. We also found SSA\xe2\x80\x99s monitoring of\nknown Agency-wide software configurations was not sufficient. 
Moreover, we were\nunable to determine whether local management was effectively monitoring software\nbecause only one software waiver was submitted for approval.\n\nSSA\xe2\x80\x99s Software Approval Policy Needed Improvement\n\nFor all seven security incidents reviewed, employees and contractors did not submit\nwaivers in accordance with the ISSH18 to Agency security offices for approval before\ninstalling non-standard software.19 One software waiver request was submitted for\n15\n  The Change, Asset, and Problem Reporting System is SSA\xe2\x80\x99s approved product used to manage\nsystems changes, calls, problems, and inventory.\n16\n  We define software not purchased through the Agency-sanctioned requisition process or not\ndeveloped, evaluated, and documented in house as non-standard software.\n17\n  In its initial response to these concerns, SSA stated, \xe2\x80\x9cWe will take disciplinary action if appropriate\nwhen an employee consciously installs unapproved software. If someone does so unknowingly, however,\ndisciplinary action is probably unwarranted. In the two incidents OIG describe where the software\ncontained Trojan horses, pg. 5, 2nd full paragraph, it does appear employees downloaded unauthorized\nsoftware onto their workstations. For the remaining cases, employees did so unwittingly, and we do not\nbelieve disciplinary action was warranted. Malware is usually hidden, and often users are unaware that\nunauthorized software is being installed on their computer. It is inappropriate to discipline someone in\nmost of these situations. We must judge each case on its own merits and take action accordingly.\xe2\x80\x9d\n18\n     SSA, ISSH, Appendix N, supra.\n19\n   Security offices refer to OTSO and the Office of Electronic Information Exchange. Office of Electronic\nInformation Exchange staff now reports to the CIO.\n\x0cPage 4 - The Commissioner\n\n\napproval through the Office of the Chief Information Officer (OCIO). 
This waiver should\nhave been approved by the appropriate security office.\n\nThe ISSH indicates that only software purchased through the Agency-sanctioned\nrequisition process or developed, evaluated, and documented in-house is authorized for\nuse on SSA computers.20 Further, exceptions for use of personally owned software\nmust be approved via the waiver request process with written justification.21 Managers\nmust submit waiver requests to the CSO.22 In turn, the CSO is supposed to submit the\nrequest to SSA\xe2\x80\x99s security offices.23\n\nThe Government Accountability Office (GAO)24 indicated in its study of leading\norganizations in information security management that a central management focal\npoint successfully fulfills the challenges of implementing security practices that gain\npublic confidence and protect Government services, privacy, and sensitive and national\nsecurity information. Further, a central management focal point is key to ensuring the\nvarious activities associated with managing risks are carried out.25\n\nSSA should consider revising its software approval policy to clearly indicate that\nsoftware authorized by the local manager must first go through a central management\nfocal point, such as the OCIO, as part of the waiver approval process. If SSA does not\nrevise its software approval policy, the potential exists for software to be installed on\nAgency computers without proper authorization. Consequently, the risk that malicious\ncode could compromise or delete sensitive data and impede network operations would\nstill exist. A revised policy would help minimize this risk.\n\nSSA Needed to Comply with and Enforce Its Software Approval Policy\n\nFor all seven security incidents reviewed, SSA employees and contractors did not\ncomply with the Agency\xe2\x80\x99s software approval policy. 
We received documentation\nconfirming one software waiver request26 had been submitted to the OCIO instead of\n\n20\n     SSA, ISSH, Chapter 11 \xc2\xa7 11.3.2.\n21\n     Id.\n22\n     Id.\n23\n SSA, Appendix N: Requests for Exception/Waiver, Attachment B: Instructions for Completing General \n\nWaiver Request Form, http://eis.ba.ssa.gov/ssasso/issh/appendix/appendixn.html. \n\n24\n GAO Executive Guide: Information Security Management, Learning from Leading Organizations, \n\nGAO/AIMD-98-68, page 3, May 1998. \n\n25\n  GAO, Federal Information System Controls Audit Manual, Section 3.1 Security Management (SM), SM\n\n1.2. A Security Management Structure Has Been Established, Page 158.\n26\n  The waiver facilitates the need for Office of Financial Policy and Operations to print Portable Document\nFormat (PDF) from Social Security Online Accounting and Reporting System, which runs in Unix. The\nonly supported method of printing PDFs from UNIX is CUPS, which is freeware.\n\x0cPage 5 - The Commissioner\n\n\nthe appropriate security offices. SSA\xe2\x80\x99s software approval policy states that waivers\nshould be forwarded to the appropriate CSO. In turn, the CSO should forward the\nwaiver to the appropriate security offices27 for approval. SSA policy does not require\nthat the waiver be approved by a central management focal point, such as the OCIO.\n\nFor the period October 30, 2009 through September 21, 2010, SSA had approximately\n197 malware incidents reported in its Change, Asset, and Problem Reporting System.\nThe goal of malware varies from gaining unauthorized access to simply disabling a\nsystem. Malware is typically delivered through email, but Internet relay chat channels28\nand websites can also place malicious code on a system. For the approximate 18\nincidents per month, an individual could have gained unauthorized access or disabled\nSSA\xe2\x80\x99s systems. 
However, SSA staff does monitor the Agency\xe2\x80\x99s system and remediates\ndetected incidents.\n\nAgency staff provided seven examples of incidents where malware was installed on\nAgency computers, and no software waiver was submitted. Of these seven incidents,\nSSA determined that, in five cases, the installed software contained keyloggers,29 and in\ntwo instances, the software contained Trojan horses.30 These vulnerabilities were\ncaused by the installation of non-standard software on workstations.\n\nNon-standard software may contain malicious code (for example, viruses, worms,31 or\nTrojan horses) that could infect the Agency\xe2\x80\x99s operating system. In addition, a Trojan\nhorse program could be used to hijack a computer program to conduct file operations,\nformat a disk, log keystrokes, etc. These incidents could cause SSA\xe2\x80\x99s network to\noperate inefficiently or ineffectively. Further, the malicious software could extract\npersonally identifiable information to be used for identity theft purposes.\n\nAlthough we only reviewed seven software-related security incidents, the potential for a\nlarger issue may exist if adequate controls are not implemented to prevent the\ninstallation of unauthorized software. 
Further, additional controls are needed to ensure\nthat employees submit the required waivers before installing non-standard software.\n\n\n27\n     SSA, ISSH, Appendix N, supra.\n28\n     Internet relay chat is a form of real-time Internet text messaging (chat).\n29\n  A keylogger application is malicious software that can capture sensitive information, such as SSA\ncredentials or other credentials accessed from a workstation (personal email accounts, passwords, etc.)\nand transmit information to a third party who could gain unauthorized access to the Agency\xe2\x80\x99s systems or\nworkstation user personal accounts.\n30\n  A Trojan horse appears to perform a desirable function for the user but instead facilitates unauthorized\naccess to the user\'s computer system.\n31\n  A worm is a self-replicating program that uses a network to send copies of itself to other computers on\nthe network and may do so without user intervention. Worms usually harm the network, if only by\nconsuming bandwidth.\n\x0cPage 6 - The Commissioner\n\n\nFor example, SSA should consider software tools that prevent unauthorized software\nfrom being installed.\n\nThe ISSH indicates that only software purchased through the Agency-sanctioned\nrequisition process or that has been developed, evaluated, and documented in-house is\nauthorized for use on SSA computers.32 In addition, the ISSH indicates only SSA-\nauthorized software may be installed on Agency devices,33 and any exceptions involving\nuse of personally owned software should be documented with the manager submitting a\nwaiver in writing detailing the justification for the use of such software. If the use of non\nstandard software is approved, the local manager is responsible for monitoring it.34\n\nFurther, the ISSH35 describes the behavior expected of all SSA personnel, contractors,\nand other external Government agency users of SSA\'s automated information systems\nresources. 
The ISSH also indicates that users must not install or use personally owned\nsoftware on SSA\xe2\x80\x99s microcomputers unless prior management approval is obtained.\nAdditionally, certification from SSA\xe2\x80\x99s Office of Information Technology Security Policy is\nrequired before using shareware and freeware on such computers.36 Managers must\nensure corrective action is taken if an infraction is discovered.37 Noncompliance could\nresult in one of several available penalties.38\n\nWe contacted the software approval offices and the managers involved with the seven\nincidents. We were told by the supervising managers we contacted that no documented\ndisciplinary action had been taken against the 5 employees who unintentionally installed\nthe non-standard software; however, the Agency agrees that appropriate disciplinary\naction should be taken when employees consciously install unauthorized software.\nSSA should consider issuing periodic reminders to managers, contractors, and\nemployees concerning the use of non-standard software and the consequences for not\ncomplying with this policy and impose disciplinary action, when appropriate.\n\nOn June 8, 2010, the Agency issued a reminder that installation and use of\nunauthorized software is prohibited.\n\n\n\n32\n     SSA, ISSH, Chapter 11 \xc2\xa7 11.3.2.\n33\n     Id.\n34\n     Id.\n35\n  SSA, ISSH, Rules of Behavior for Users and Managers of SSA\'s Automated Information Resources\n(March 23, 2001), http://eis.ba.ssa.gov/ssasso/issh/rulesofbehavior.htm.\n36\n     SSA, ISSH, Rules of Behavior, supra at Section 3.9.\n37\n     Id.\n38\n     SSA\xe2\x80\x99s ISSH, Rules of Behavior, supra at Section 4.\n\x0cPage 7 - The Commissioner\n\n\nSSA\xe2\x80\x99s Local Software Needed Monitoring\n\nSSA had an Agency-wide software monitoring policy and process in place; however, we\ndetermined that the process was not sufficient. 
We received documentation confirming\none software waiver request39 had been submitted to the OCIO and not the appropriate\nsecurity offices. However, SSA staff provided seven incidents where software was\ninstalled and no software waiver was submitted. Of these seven incidents, five were\nidentified as keyloggers and two were Trojan horses. These incidents were caused by\nthe installation of non-standard software on workstations. Since no waiver requests\nwere submitted to the appropriate security offices, we were unable to determine\nwhether local managers were monitoring the use of non-standard software.40\n\nSSA scans and analyzes network traffic for system vulnerabilities to ensure compliance\nwith Agency configuration and software requirements. SCCM documents employee\nworkstation software41 inventory. However, the Agency is limited in its monitoring\nefforts to identifying only malicious signatures that are known to the Agency.\n\nSSA should consider revising its software monitoring policy to clearly indicate that\nOTSO has the primary responsibility for software monitoring and oversees coordination\nwith local managers. OTSO is better equipped to identify software security incidents\nand related vulnerabilities. We reiterate our suggestion that the Agency issue periodic\nreminders to managers, contractors, and employees concerning the use of non\nstandard software and the consequences for not complying with this policy. In addition,\nthe Agency should consider obtaining scanning tools that can identify malicious files\nother than Windows-based files.\n\nCONCLUSION AND RECOMMENDATIONS\n\nWe found SSA had an approval and monitoring policy for employees and contractors\xe2\x80\x99\nuse of software on Agency computers. 
However, we determined this policy needed\nimprovement.\n\nMoreover, our Fiscal Year 2003 through 2009 Information Technology Management\nLetters cited deficiencies in workstation software monitoring and recommended SSA\nupdate its policies and procedures to timely detect and remove unlicensed and\nunauthorized software from workstations.\n\n\n\n\n39\n     SSA\xe2\x80\x99s ISSH, Rules of Behavior, supra at Section 4.\n40\n     See footnote 17.\n41\n     Microsoft Windows-based systems.\n\x0cPage 8 - The Commissioner\n\n\nBased on our report findings, we recommend SSA:\n\n   1. \t Consider revising its software approval policy to clearly indicate that software\n        authorized by the local manager must first go through a central management\n        focal point, such as the OCIO, as part of the waiver approval process.\n\n   2. \t Issue periodic reminders to employees and contractors concerning the Agency\xe2\x80\x99s\n        software approval and monitoring policy.\n\n   3. \t Enforce its software approval and monitoring policy by taking disciplinary action,\n       where appropriate, for installing unauthorized software on Agency computers.\n\n   4. \t Have all software monitoring directed by OTSO with implementation by local\n        managers.\n\n   5. \t Obtain electronic tools to inventory all types of software on Agency computers\n        and prevent unauthorized software from being installed.\n\nAGENCY COMMENTS AND OIG RESPONSE\nSSA agreed with our recommendations. The full text of SSA\xe2\x80\x99s comments is included in\nAppendix C.\n\n\n\n\n                                                 Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                Appendix A \n\n\nAcronyms\n CIO           Chief Information Officer\n\n CSO           Component Security Officer\n\n FISMA         Federal Information Security Management Act of 2002\n\n GAO           Government Accountability Office\n\n IDS           Intrusion Detection System\n\n ISSH          Information Systems Security Handbook\n\n NIST          National Institute of Standards and Technology\n\n OCIO          Office of the Chief Information Officer\n\n OTSO          Office of Telecommunications and Systems Operations\n\n PDF           Portable Document Format\n\n Pub. L. No.   Public Law Number\n\n SCCM          System Center Configuration Manager\n SM            Security Management\n\n SP            Special Publication\n\n SSA           Social Security Administration\n U.S.C.        
United States Code\n\x0c                                                                       Appendix B\n\nScope and Methodology\nTo accomplish our objective, we:\n\n   \xe2\x80\xa2\t Interviewed Social Security Administration (SSA) staff responsible for software\n      approval and monitoring in the Agency.\n\n   \xe2\x80\xa2\t Interviewed personnel from SSA\xe2\x80\x99s Offices of the Chief Information Officer (OCIO)\n      and Telecommunications and Systems Operations.\n\n   \xe2\x80\xa2\t Reviewed applicable Federal laws, directives, and other guidance as well as\n      industry standards and best practices.\n\n   \xe2\x80\xa2\t Obtained software security incident data from SSA\xe2\x80\x99s Change, Asset, and Problem\n      Reporting System.\n\n   \xe2\x80\xa2\t Requested examples of software security incidents detected through the Agency\xe2\x80\x99s\n      network scanning.\n\n   \xe2\x80\xa2\t Interviewed supervisors responsible for corrective action in the event of\n      discovered software installation infractions related to incident reports reviewed.\n\nSpecifically, we examined the:\n\n   \xe2\x80\xa2\t Federal Information Security Management Act of 2002.\n\n   \xe2\x80\xa2\t Government Accountability Office (GAO) Federal Information System Controls\n      Audit Manual, February 2009.\n\n   \xe2\x80\xa2\t GAO Executive Guide: Information Security Management, Learning from Leading\n      Organizations, GAO/AIMD-98-68, May 1998.\n\n   \xe2\x80\xa2\t Revisions to Office of Management and Budget Circular A-123, Management\xe2\x80\x99s\n      Responsibility for Internal Control, December 21, 2004.\n\n   \xe2\x80\xa2\t National Institute of Standards and Technology (NIST) Special Publication (SP)\n      800-53: Revision 3 Recommended Security Controls for Federal Information\n      Systems and Organizations, August 2009.\n\n   \xe2\x80\xa2\t NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook,\n      October 1995.\n\n\n\n\n               
                            B-1\n\n\x0c     \xe2\x80\xa2\t Information Systems Security Handbook, Chapter 11: Hardware and Software\n        Security Policy.\n\n     \xe2\x80\xa2\t Fiscal Year 2008 and 2009 Information Technology Management Letters.\n\n     \xe2\x80\xa2\t SSA Office of the Inspector General, Follow-Up: The Social Security\n        Administration\xe2\x80\x99s Computer Security Program Compliance (A-14-09-19048),\n        September 2009.\n\nThe results of our review are based on the above information provided by SSA. We\nperformed our review in December 2009 through September 2010 in Baltimore,\nMaryland. The entities reviewed were the OCIO and Deputy Commissioner for\nSystems. We conducted our review in accordance with the Council of the Inspectors\nGeneral on Integrity and Efficiency\xe2\x80\x99s Quality Standards for Inspections.1\n\n\n\n\n11\n  In January 2009, the President\xe2\x80\x99s Council on Integrity and Efficiency was superseded by the Council of\nthe Inspectors General on Integrity and Efficiency, Inspector General Reform Act of 2008, Pub. L. No.\n110-409 \xc2\xa7 7, 5 U.S.C. App. 3 \xc2\xa7 11.\n\n\n                                                 B-2\n\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                       SOCIAL SECURITY\n\nMEMORANDUM\n\n\n\nDate:    October 14, 2010                                                      Refer To:\n\nTo:      Patrick P. O\'Carroll, Jr.\n         Inspector General\n\nFrom:    James A. Winn /s/\n         Executive Counselor\n         to the Commissioner\n\nSubject:\t Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s\n         Approval and Monitoring of the Use of Software\xe2\x80\x9d (A-14-10-21082)\xe2\x80\x94INFORMATION\n\n\n         Thank you for the opportunity to review the draft report. Please see our attached comments.\n\n         Please let me know if we can be of further assistance. 
Please direct staff inquiries to\n         Rebecca Tothero, Acting Director, Audit Management and Liaison Staff at (410) 966-6975.\n\n         Attachment\n\n\n\n\n                                                       C-1\n\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S APPROVAL AND\nMONITORING OF THE USE OF SOFTWARE\xe2\x80\x9d (A-14-10-21082)\n\nThank you for the opportunity to review the subject report. We offer the following comments.\n\nRecommendation 1\n\nWe recommend SSA:\n\n \xe2\x80\x9cconsider revising its software approval policy to clearly indicate that software authorized by the\nlocal manager must first go through a central management focal point, such as the OCIO, as part\nof the waiver approval process. \xe2\x80\x9d\n\nResponse\n\nWe agree. As you discuss in footnote 22, we recently restructured the Office of the Chief\nInformation Officer (OCIO) and it now includes the Office of Electronic Information Exchange\n(OEIE). OEIE retains many systems security responsibilities. We believe that by incorporating\nOEIO into the OCIO, we have moved towards some degree of centralization.\n\nRecommendation 2\n\nWe recommend SSA:\n\n\xe2\x80\x9cissue periodic reminders to employees and contractors concerning the Agency\xe2\x80\x99s software\napproval and monitoring policy.\xe2\x80\x9d\n\nResponse\n\nWe agree. In July 2010, we issued a reminder that the installation and the use of unauthorized\nsoftware is prohibited.\n\nRecommendation 3\n\nWe recommend SSA:\n\n \xe2\x80\x9cenforce its software approval and monitoring policy by taking disciplinary action, where\nappropriate, for installing unauthorized software on Agency computers.\xe2\x80\x9d\n\nResponse\n\nWe agree. We will take disciplinary action if appropriate when an employee consciously installs\nunapproved software. If someone does so unknowingly, however, disciplinary action is probably\nunwarranted. 
In the two incidents OIG describe where the software contained Trojan horses, pg.\n5, 2nd full paragraph, it does appear employees downloaded unauthorized software onto their\n\n\n\n                                               C-2\n\n\x0cworkstations. For the remaining cases, employees did so unwittingly, and we do not believe\ndisciplinary action was warranted.\n\nMalware is usually hidden, and often users are unaware that unauthorized software is being\ninstalled on their computer. It is inappropriate to discipline someone in most of these situations.\nWe must judge each case on its own merits and take action accordingly.\n\nRecommendation 4\n\nWe recommend SSA:\n\n\xe2\x80\x9chave all software monitoring directed by OTSO with implementation by local managers.\xe2\x80\x9d\n\nResponse\n\nWe agree. The Office of Telecommunications and Systems Operations (OTSO) should have\nresponsibility for monitoring infrastructure; however, we will not eliminate monitoring by local\nmanagers. We consider local managers as key in the oversight process.\n\nRecommendation 5\n\nWe recommend SSA:\n\n\xe2\x80\x9cobtain electronic tools to inventory all types of software on Agency computers and prevent\nunauthorized software from being installed.\xe2\x80\x9d\n\nResponse\n\nWe agree that non-standard software may adversely affect agency operations. We will\nreevaluate our current policies and procedures for approving and monitoring software usage. We\nwill also assess our current technical capabilities and identify any technology gaps.\n\nEven with possible changes to our policies, local managers and security officers will continue to\nplay an important role in the process and will actively participate in the approval and registration\nof local or non-standard software. In addition, component security staffs will continue to provide\nlocal guidance and oversight on the use of non-standard software. To enforce our policies, we\nmust rely on component managers and security staffs. 
While we regularly scan our workstations and remove known malware, local managers and security officers within each component must continue their active role in the approval and oversight processes. We will maintain our efforts to prevent the introduction of malicious or destructive software onto our workstations. At the same time, we will weigh the requirements of local managers and security officers within each component and make sure they have access to the non-standard software they need to do their work.

Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Brian Karpe, Director, Information Technology Audit Division

   Mary Ellen Moyer, Audit Manager

Acknowledgments

In addition to those named above:

   Cheryl Dailey, Auditor-in-Charge

For additional copies of this report, please visit our Website at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Staff Assistant at (410) 965-4518.
Refer to Common Identification Number A-14-10-21082.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM).
To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives.
OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.